[P.S: This is a guest post from Ms Badal Patel, Gurugram.]
Privacy rights have come to the forefront in recent years due to the exponential role played by the internet and social media in our everyday life. The question of how the privacy of a person is affected by the internet cannot be answered in a few words. Data is collected from even the most basic search a person makes. But these violations have huge implications on the privacy of a person and hence the personal data has to be protected.
The General Data Protection Regulation was one such regulation introduced by the EU to protect the data of its member states and its citizens. This Regulation is not region-specific and has an extraterritorial application (Article 3 of the GDPR). Any third parties who intend to get into agreement with the EU members have to strictly comply with these regulations, the non-adherence of which would result in penalties.
Moreover, under Article 44 of the Regulations, it is stated that the flow of personal information from the EU to a non-EU country can only take place if that country is in compliance with the GDPR standards. Under Article 45, the regulations have laid down certain levels of standards that the non-EU country shall meet for the flow of information to take place without any additional authorization. The circumstances looked into is whether that country has provided a safe environment for personal data and information protection. The data privacy rules are reviewed and their effectiveness calculated. The international conventions or treaties that the non-EU nations have has entered into shall also be looked into.
In India, with the recent decision given in Justice Puttuswamy v. Union of India, the Supreme Court, for the very first time, explicitly recognized the right to privacy of a person. With this landmark decision, the prevailing conditions of privacy and data protection came under scrutiny. The introduction of the Data Protection Bill of 2019 is a huge step in this direction and was a direct result of the historic judgment. This bill was put forward by Justice B.N. Srikrishna Committee which was appointed to analyze the current laws regarding data protection and also to suggest more contemporary regulations to be put in place. This Bill specifically focuses on the data protection regulations for protecting the personal data of Indian citizens. The EU has given GDPR adequacy approval to only thirteen countries. India has not received this approval but the new Bill has the potential to pave the way for the grant of the EU approval. Receiving this approval would both boost the IT sector in the country and will also make the compliance requirements to the GDPR much simpler for Indian Companies.
The Indian companies are required to comply with the GDPR for conducting transactions with the EU. Before understanding the compliance requirements, it is necessary to look into two terms used under the GDPR for the better understanding of the requirements; controller and processor.
Article 4 of the GDPR defines both these terms as given below:
“ (7) controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8)‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”
Both these terms are extensively used throughout the Regulations. The controller acts as the principal and the processor acts as the agent of the controller and acts on his request. It is important to understand what they are as the responsibility thrust on them is quite different from each other.
The requirements that Indian Companies need to comply with can be put into a checklist.
1. Records of Processing Personal Data Activities
Article 30 of the Regulations elaborates on the details to be recorded when it comes to the processing of the personal data. Paragraphs 1 and 2 of the Article enumerates the information to be recorded by the controller and the processor respectively. Both these lists are very specific and impose specific recording obligations on both the controller and the processor. As per paragraph 3, these records shall be in writing. They are also under the obligation to make the record available to their supervisory authority on request.
The information that is to be recorded under paragraphs 1 and 2 specifically points to disclosures are to be made when the personal data is transferred to third countries or international organisations, and the identification of such third countries and international organisations should be made along with the safeguards taken to ensure the safety of personal data in such cases.
The definition of ‘personal data’ is wide but must be ascertained in order to inform individuals about what type of personal data is being collected. ‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
2. Determine if the company is a data processor or a Data controller
The determination of whether a company is a data processor or a data controller is very important both for absolving the liability of the company and for imposing liability on the company. The definitions of both these terms have been mentioned earlier in this article. The definition is not an elaborate one. It only differentiates the controller and the processor based on whether they are in charge of the data and on who has the responsibility to process it. But the Regulation is very elaborate and it places specific responsibilities and liabilities on both the controller and the processor. Hence, it is important to understand whether you are a controller company or processor company to understand the responsibilities that fall on you and to fulfil them to ensure that there is no liability on your part.
Article 24 of the Regulations speaks about the “Responsibility of the Controller”. Paragraph 1 of the article lays an obligation on the controller company to implement appropriate technical and organisational measures to ensure compliance with the Regulations. Article 28 elaborates on the processor and his obligations both towards the controller and the data subject.
In order to understand which category you fall under, in simple terms, the power you have over the data is to be looked at. To be more accurate, the controller will have the following powers:
● To determine what is to be collected from the data subject.
● How to store the data collected.
● To what end the collected data is used and what portion of the data is to be used.
● To set guidelines for the data processor to follow while processing the data.
The data processor will have only the power to process the data as per the contract between them and the data controller. They will not have any power to augment the data in any way and the actions they take have to be in compliance with the Regulations.
The Indian companies have to update their internal procedures to be GDPR compliant. One of the procedures that they have to adhere to is issuing notices and taking consent from the data subjects. These provisions are given under Article 12-14 and 19.
Article 12 lays the model in which data is to be collected and the relevant disclosures that are necessary when data is collected from different categories of data subjects by the Controller. This provision also enables the Controller to request for additional information when there is a necessity to confirm the identity of the data subject. Article 13 lays down the information disclosure requirements when the personal data is collected from the data subject. Under this Article, paragraph 1, there is a specific list of information that the controller has to disclose. Paragraph 2 provides additional disclosure requirements that the controller has to provide to ensure fair and transparent processing. Under Paragraph 3, it also says that if the controller intends to further process the data for something other than the purpose it was collected for, he has to give notice to the data subject prior to such processing. Under Article 14 lays down the information to be provided when the personal data is collected but not from the data subject.
Under Article 19, the controller has the obligation to communicate any rectification or erasure of personal data to each recipient the data has been disclosed to and to inform the data subject about the recipients of the data.
4. Rights of Data subjects
Under the GDPR, an entire chapter (Chapter 3) is dedicated to set forth the rights of the data subjects. There are 11 Articles (Articles 12-23) under this chapter. For an Indian Company to be compliant with the GDPR, they have to ensure that these rights are safeguarded. Article 12,13,14 and 19 have been elaborated under the previous sub-topic. Article 15 provides for the right to access any information as to the data obtained by the controller from the data subject. Under this Article, the data subject also has the right to be notified if his personal data is being transferred to a third country or international organisation. Article 16 guarantees a right to rectify personal data to the data subject. Under Article 17, the data subject will have the right to request the controller for erasing any personal data pertaining to them and the controller is liable to oblige without undue delay. As per Article 18, the data subject has the right to place restrictions on the processing of data by the controller. Article 20 enumerates the rights the data subject has in relation to portability of the data provided by him to the controller and how he can obtain it from the controller and transfer it to another person. Another right that is available to the data subject is the right to object to the processing of his personal data under Article 21. Under Article 22, the data subject has the right to not be subject to profiling resulting from the processing of his data. But under Paragraph 2, certain exceptions to this right are provided. If the Indian company is successful in incorporating all these rights into their framework, they will be GDPR compliant.
5. Update the security incident management processes
Ensuring the security of the personal data of natural persons belonging to the EU are at the core of the GDPR guidelines. Article 33 lays down that in case of a personal data breach the controller shall without delay (not more than 72 hours) notify the personal data breach to the supervisory authority. The controller has an obligation to document the data breaches, its effects and the remedial action taken. Under Article 34, when there is personal data breach, the controller has the responsibility to communicate this breach to the data subjects without undue delay. There are also certain exceptions provided under Paragraph 3 of the Article.
6. Working of the Data Protection Impact Assessment (DPIA)
A data protection impact assessment is done by the controller to assess the impact of the processing of data especially if a new processing technique is used and the risk to the rights and freedoms of the natural persons is higher. Article 35 of the Regulations the provisions regarding data protection impact assessment. Paragraph 3 of the Article lists out the cases where such an assessment will be mandatorily be required. Paragraph 7 points out what all the assessment should contain. Article 36 lays down an obligation on the controller to consult the supervisory authority prior to the processing in case there is a higher risk present. Under paragraph 3 of the Article, the supervisor is liable to provide certain information to the supervisory authority regarding the same.
7. Appointment of a Data Protection Officer
Articles 37,38 and 39 are the provisions which are dealing with the appointment of the data protection officer. Under Article 37, a data protection officer needs to be appointed by the controller and the processor when the circumstances are those which are given under paragraph 1 of the Article. As per Article 38, the Controller and the processor shall facilitate the functioning of the tasks of the Data Protection Officer given under Article 39. The tasks that the Data Protection Officer is responsible for is listed out in paragraph 1 of the Article. So, an Indian company, be it a controller or a processor, will have to appoint a Data Protection Officer if they fall under the criteria given under Article 37.
8. Displaying legitimate interest as to why the Personal Data is being collected and how the company intends on using it.
Under Article 6 (1), there is a list of criteria given to determine the lawfulness of the processing of the data. At least one of the given criteria has to be fulfilled for the processing to be lawful. One of the criteria that is given is legitimate interests pursued by the controller. But sadly, what constitutes legitimate interest is not defined in the regulations. Recital 47 under the GDPR explains that legitimate interest could exist:
● Where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
● The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
● The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
So showing legitimate interest is essential in the collection of data from the data subject.
The GDPR is extremely relevant in today’s world where the personal data of the persons are collected for various purposes. The implementation of GDPR ensures that there is transparency and the personal data is safeguarded. Hence the Regulations mandates that disclosures are made to the data subject as to the purpose of collecting the data.
9. Transferring personal data outside the European Economic Area (‘EEA’)
10. Policy language
Privacy policies should be clear and easy to understand by individuals who have no knowledge of privacy law. There should be a translation of the policy to the relevant local language made available if the website targets users of different countries.
The compliance requirements will be significantly simpler and easier if the Data Protection Bill (2019) is passed and the provisions in the Bill are accepted as adequate by the EU for the protection of personal data. In the eventuality of this acceptance, India stands to gain a lot of benefits. It will have a positive impact on the IT sector and it will also ensure that the personal data of her citizens are protected.
P.S: This is a guest post. Views expressed here in are the views of the author.